bitnami-labs · juan131 · Dec 16, 2021 · Dec 16, 2021 · Dec 16, 2021 · Dec 16, 2021
@@ -43,7 +43,7 @@ jobs:
         run: ct lint --config helm/ct.yaml --check-version-increment=false
 
       - name: Create kind cluster
-        uses: helm/kind-action@v1.1.0
+        uses: helm/kind-action@v1.2.0
         if: steps.list-changed.outputs.changed == 'true'
 
       - name: Run chart-testing (install)

@@ -28,9 +28,9 @@ jobs:
           version: v3.4.2
 
       - name: Run chart-releaser
-        uses: helm/chart-releaser-action@v1.2.0
+        uses: helm/chart-releaser-action@v1.2.1
         with:
           charts_dir: helm
-          config: cr.yaml
         env:
           CR_TOKEN: "${{ secrets.GITHUB_TOKEN }}"
+          CR_RELEASE_NAME_TEMPLATE: "helm-v{{ .Version }}"
@@ -1,14 +1,19 @@
-name: sealed-secrets
+annotations:
+  category: DeveloperTools
+apiVersion: v2
+appVersion: v0.17.1
 description: Helm chart for the sealed-secrets controller.
-
-version: 1.16.1
-appVersion: v0.16.0
-
-kubeVersion: ">=1.16.0-0"
 home: https://github.com/bitnami-labs/sealed-secrets
-icon: https://avatars0.githubusercontent.com/u/34656521?s=200&v=4
-apiVersion: v2
-type: application
+icon: https://bitnami.com/assets/stacks/sealed-secrets/img/sealed-secrets-stack-220x234.png
+keywords:
+  - secrets
+  - sealed-secrets
+kubeVersion: ">=1.16.0-0"
 maintainers:
-- name: mkmik
-  email: mmikulicic@gmail.com
+  - email: containers@bitnami.com
+    name: Bitnami
+  - name: mkmik
+    email: mmikulicic@gmail.com
+name: sealed-secrets
+type: application
+version: 2.0.0
@@ -1,42 +1,41 @@
-{{ if .Values.controller.create -}}
+{{ if .Values.createController -}}
+
+** Please be patient while the chart is being deployed **
+
 You should now be able to create sealed secrets.
 
-1. Install client-side tool into /usr/local/bin/
+1. Install the client-side tool (kubeseal) as explained in the docs below:
 
-GOOS=$(go env GOOS)
-GOARCH=$(go env GOARCH)
-wget https://github.com/bitnami-labs/sealed-secrets/releases/download/{{ .Values.image.tag }}/kubeseal-$GOOS-$GOARCH
-sudo install -m 755 kubeseal-$GOOS-$GOARCH /usr/local/bin/kubeseal
+    https://github.com/bitnami-labs/sealed-secrets#installation-from-source
 
-2. Create a sealed secret file
+2. Create a sealed secret file running the command below:
 
-# note the use of `--dry-run` - this does not create a secret in your cluster
-kubectl create secret generic secret-name --dry-run --from-literal=foo=bar -o [json|yaml] | \
- kubeseal \
- --controller-name={{ template "sealed-secrets.fullname" . }} \
- --controller-namespace={{ .Release.Namespace }} \
- --format [json|yaml] > mysealedsecret.[json|yaml]
+    kubectl create secret generic secret-name --dry-run=client --from-literal=foo=bar -o [json|yaml] | \
+    kubeseal \
+      --controller-name={{ include "sealed-secrets.fullname" . }} \
+      --controller-namespace={{ include "sealed-secrets.namespace" . }} \
+      --format yaml > mysealedsecret.[json|yaml]
 
 The file mysealedsecret.[json|yaml] is a commitable file.
 
-If you would rather not need access to the cluster to generate the sealed secret you can run
+If you would rather not need access to the cluster to generate the sealed secret you can run:
 
-kubeseal \
- --controller-name={{ template "sealed-secrets.fullname" . }} \
- --controller-namespace={{ .Release.Namespace }} \
- --fetch-cert > mycert.pem
+    kubeseal \
+      --controller-name={{ include "sealed-secrets.fullname" . }} \
+      --controller-namespace={{ include "sealed-secrets.namespace" . }} \
+      --fetch-cert > mycert.pem
 
 to retrieve the public cert used for encryption and store it locally. You can then run 'kubeseal --cert mycert.pem' instead to use the local cert e.g.
 
-kubectl create secret generic secret-name --dry-run --from-literal=foo=bar -o [json|yaml] | \
-kubeseal \
- --controller-name={{ template "sealed-secrets.fullname" . }} \
- --controller-namespace={{ .Release.Namespace }} \
- --format [json|yaml] --cert mycert.pem > mysealedsecret.[json|yaml]
+    kubectl create secret generic secret-name --dry-run=client --from-literal=foo=bar -o [json|yaml] | \
+    kubeseal \
+      --controller-name={{ include "sealed-secrets.fullname" . }} \
+      --controller-namespace={{ include "sealed-secrets.namespace" . }} \
+      --format [json|yaml] --cert mycert.pem > mysealedsecret.[json|yaml]
 
 3. Apply the sealed secret
 
-kubectl create -f mysealedsecret.[json|yaml]
+    kubectl create -f mysealedsecret.[json|yaml]
 
 Running 'kubectl get secret secret-name -o [json|yaml]' will show the decrypted secret that was generated from the sealed secret.
 

@@ -1,17 +1,3 @@
-{{/*
-Expand to the namespace sealed-secrets installs into.
-*/}}
-{{- define "sealed-secrets.namespace" -}}
-{{- default .Release.Namespace .Values.namespace -}}
-{{- end -}}
-
-{{/*
-Create chart name and version as used by the chart label.
-*/}}
-{{- define "sealed-secrets.chart" -}}
-{{- printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" -}}
-{{- end -}}
-
 {{/*
 Expand the name of the chart.
 */}}
@@ -37,6 +23,20 @@ If release name contains chart name it will be used as a full name.
 {{- end -}}
 {{- end -}}
 
+{{/*
+Expand to the namespace sealed-secrets installs into.
+*/}}
+{{- define "sealed-secrets.namespace" -}}
+{{- default .Release.Namespace .Values.namespace -}}
+{{- end -}}
+
+{{/*
+Create chart name and version as used by the chart label.
+*/}}
+{{- define "sealed-secrets.chart" -}}
+{{- printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" -}}
+{{- end -}}
+
 {{/*
 Create the name of the service account to use
 */}}
@@ -47,3 +47,156 @@ Create the name of the service account to use
     {{ default "default" .Values.serviceAccount.name }}
 {{- end -}}
 {{- end -}}
+
+{{/*
+Kubernetes standard labels
+*/}}
+{{- define "sealed-secrets.labels" -}}
+app.kubernetes.io/name: {{ include "sealed-secrets.name" . }}
+helm.sh/chart: {{ include "sealed-secrets.chart" . }}
+app.kubernetes.io/instance: {{ .Release.Name }}
+app.kubernetes.io/managed-by: {{ .Release.Service }}
+app.kubernetes.io/version: {{ .Chart.AppVersion }}
+{{- end -}}
+
+{{/*
+Labels to use on deploy.spec.selector.matchLabels and svc.spec.selector
+*/}}
+{{- define "sealed-secrets.matchLabels" -}}
+app.kubernetes.io/name: {{ include "sealed-secrets.name" . }}
+app.kubernetes.io/instance: {{ .Release.Name }}
+{{- end -}}
+
+{{/*
+Return true if cert-manager required annotations for TLS signed certificates are set in the Ingress annotations
+Ref: https://cert-manager.io/docs/usage/ingress/#supported-annotations
+*/}}
+{{- define "sealed-secrets.ingress.certManagerRequest" -}}
+{{ if or (hasKey . "cert-manager.io/cluster-issuer") (hasKey . "cert-manager.io/issuer") }}
+    {{- true -}}
+{{- end -}}
+{{- end -}}
+
+{{/*
+Renders a value that contains template.
+Usage:
+{{ include "sealed-secrets.render" ( dict "value" .Values.path.to.the.Value "context" $) }}
+*/}}
+{{- define "sealed-secrets.render" -}}
+    {{- if typeIs "string" .value }}
+        {{- tpl .value .context }}
+    {{- else }}
+        {{- tpl (.value | toYaml) .context }}
+    {{- end }}
+{{- end -}}
+
+{{/*
+Return the target Kubernetes version
+*/}}
+{{- define "sealed-secrets.kubeVersion" -}}
+{{- if .Values.global }}
+    {{- if .Values.global.kubeVersion }}
+    {{- .Values.global.kubeVersion -}}
+    {{- else }}
+    {{- default .Capabilities.KubeVersion.Version .Values.kubeVersion -}}
+    {{- end -}}
+{{- else }}
+{{- default .Capabilities.KubeVersion.Version .Values.kubeVersion -}}
+{{- end -}}
+{{- end -}}
+
+{{/*
+Return the appropriate apiVersion for deployment.
+*/}}
+{{- define "sealed-secrets.deployment.apiVersion" -}}
+{{- if semverCompare "<1.14-0" (include "sealed-secrets.kubeVersion" .) -}}
+{{- print "extensions/v1beta1" -}}
+{{- else -}}
+{{- print "apps/v1" -}}
+{{- end -}}
+{{- end -}}
+
+{{/*
+Return the appropriate apiVersion for ingress.
+*/}}
+{{- define "sealed-secrets.ingress.apiVersion" -}}
+{{- if .Values.ingress -}}
+{{- if .Values.ingress.apiVersion -}}
+{{- .Values.ingress.apiVersion -}}
+{{- else if semverCompare "<1.14-0" (include "sealed-secrets.kubeVersion" .) -}}
+{{- print "extensions/v1beta1" -}}
+{{- else if semverCompare "<1.19-0" (include "sealed-secrets.kubeVersion" .) -}}
+{{- print "networking.k8s.io/v1beta1" -}}
+{{- else -}}
+{{- print "networking.k8s.io/v1" -}}
+{{- end }}
+{{- else if semverCompare "<1.14-0" (include "sealed-secrets.kubeVersion" .) -}}
+{{- print "extensions/v1beta1" -}}
+{{- else if semverCompare "<1.19-0" (include "sealed-secrets.kubeVersion" .) -}}
+{{- print "networking.k8s.io/v1beta1" -}}
+{{- else -}}
+{{- print "networking.k8s.io/v1" -}}
+{{- end -}}
+{{- end -}}
+
+{{/*
+Return the appropriate apiVersion for networkpolicy.
+*/}}
+{{- define "sealed-secrets.networkPolicy.apiVersion" -}}
+{{- if semverCompare "<1.7-0" (include "sealed-secrets.kubeVersion" .) -}}
+{{- print "extensions/v1beta1" -}}
+{{- else -}}
+{{- print "networking.k8s.io/v1" -}}
+{{- end -}}
+{{- end -}}
+
+Usage:
+{{ include "sealed-secrets.backend" (dict "serviceName" "backendName" "servicePort" "backendPort" "context" $) }}
+
+Params:
+  - serviceName - String. Name of an existing service backend
+  - servicePort - String/Int. Port name (or number) of the service. It will be translated to different yaml depending if it is a string or an integer.
+  - context - Dict - Required. The context for the template evaluation.
+*/}}
+{{- define "sealed-secrets.backend" -}}
+{{- $apiVersion := (include "sealed-secrets.ingress.apiVersion" .context) -}}
+{{- if or (eq $apiVersion "extensions/v1beta1") (eq $apiVersion "networking.k8s.io/v1beta1") -}}
+serviceName: {{ .serviceName }}
+servicePort: {{ .servicePort }}
+{{- else -}}
+service:
+  name: {{ .serviceName }}
+  port:
+    {{- if typeIs "string" .servicePort }}
+    name: {{ .servicePort }}
+    {{- else if or (typeIs "int" .servicePort) (typeIs "float64" .servicePort) }}
+    number: {{ .servicePort | int }}
+    {{- end }}
+{{- end -}}
+{{- end -}}
+
+{{/*
+Print "true" if the API pathType field is supported
+Usage:
+{{ include "sealed-secrets.supportsPathType" . }}
+*/}}
+{{- define "sealed-secrets.supportsPathType" -}}
+{{- if (semverCompare "<1.18-0" (include "sealed-secrets.kubeVersion" .)) -}}
+{{- print "false" -}}
+{{- else -}}
+{{- print "true" -}}
+{{- end -}}
+{{- end -}}
+
+{{/*
+Returns true if the ingressClassname field is supported
+Usage:
+{{ include "sealed-secrets.supportsIngressClassname" . }}
+*/}}
+{{- define "sealed-secrets.supportsIngressClassname" -}}
+{{- if semverCompare "<1.18-0" (include "sealed-secrets.kubeVersion" .) -}}
+{{- print "false" -}}
+{{- else -}}
+{{- print "true" -}}
+{{- end -}}
+{{- end -}}
@@ -2,15 +2,10 @@
 apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRoleBinding
 metadata:
-  name: {{ template "sealed-secrets.fullname" . }}
-  labels:
-    app.kubernetes.io/name: {{ template "sealed-secrets.name" . }}
-    helm.sh/chart: {{ template "sealed-secrets.chart" . }}
-    app.kubernetes.io/managed-by: {{ .Release.Service }}
-    app.kubernetes.io/instance: {{ .Release.Name }}
-    app.kubernetes.io/version: {{ .Chart.AppVersion }}
+  name: {{ include "sealed-secrets.fullname" . }}
+  labels: {{- include "sealed-secrets.labels" . | nindent 4 }}
     {{- if .Values.rbac.labels }}
-{{ toYaml .Values.rbac.labels | indent 4 }}
+    {{- include "sealed-secrets.render" ( dict "value" .Values.rbac.labels "context" $) | nindent 4 }}
     {{- end }}
 roleRef:
   apiGroup: rbac.authorization.k8s.io
@@ -19,6 +14,6 @@ roleRef:
 subjects:
   - apiGroup: ""
     kind: ServiceAccount
-    name: {{ template "sealed-secrets.serviceAccountName" . }}
-    namespace: {{ template "sealed-secrets.namespace" . }}
+    name: {{ include "sealed-secrets.serviceAccountName" . }}
+    namespace: {{ include "sealed-secrets.namespace" . }}
 {{ end }}
@@ -3,14 +3,9 @@ apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRole
 metadata:
   name: secrets-unsealer
-  labels:
-    app.kubernetes.io/name: {{ template "sealed-secrets.name" . }}
-    helm.sh/chart: {{ template "sealed-secrets.chart" . }}
-    app.kubernetes.io/managed-by: {{ .Release.Service }}
-    app.kubernetes.io/instance: {{ .Release.Name }}
-    app.kubernetes.io/version: {{ .Chart.AppVersion }}
+  labels: {{- include "sealed-secrets.labels" . | nindent 4 }}
     {{- if .Values.rbac.labels }}
-{{ toYaml .Values.rbac.labels | indent 4 }}
+    {{- include "sealed-secrets.render" ( dict "value" .Values.rbac.labels "context" $) | nindent 4 }}
     {{- end }}
 rules:
   - apiGroups:

@@ -1,21 +1,15 @@
-{{- if .Values.dashboards.create }}
-{{- $namespace := .Values.dashboards.namespace | default $.Release.Namespace }}
+{{- if .Values.metrics.dashboards.create }}
+{{- $namespace := .Values.metrics.dashboards.namespace | default $.Release.Namespace }}
 {{- range $path, $_ :=  .Files.Glob  "dashboards/*.json" }}
 {{- $filename := trimSuffix (ext $path) (base $path) }}
 apiVersion: v1
 kind: ConfigMap
 metadata:
-  name: {{ template "sealed-secrets.fullname" $ }}-{{ $filename }}
+  name: {{ printf "%s-%s" (include "sealed-secrets.fullname" $) $filename }}
   namespace: {{ $namespace }}
-  labels:
-    grafana_dashboard: "1"
-    app.kubernetes.io/name: {{ template "sealed-secrets.name" $ }}
-    helm.sh/chart: {{ template "sealed-secrets.chart" $ }}
-    app.kubernetes.io/managed-by: {{ $.Release.Service }}
-    app.kubernetes.io/instance: {{ $.Release.Name }}
-    app.kubernetes.io/version: {{ $.Chart.AppVersion }}
-    {{- if $.Values.dashboards.labels }}
-    {{- toYaml $.Values.dashboards.labels | nindent 4 }}
+  labels: {{- include "sealed-secrets.labels" $ | nindent 4 }}
+    {{- if $.Values.metrics.dashboards.labels }}
+    {{- include "sealed-secrets.render" ( dict "value" $.Values.serviceAccount.labels "context" $) | nindent 4 }}
     {{- end }}
 data:
   {{ base $path }}: |-